By 2025, risk functions in banks will likely need to be fundamentally different than they are
today. As hard as it may be to believe, the next ten years in risk management may be subject to 
more transformation than the last decade. And unless banks start to act now and prepare for 
these longer-term changes, they may be overwhelmed by the new requirements and demands 
they will face. 


The structural trends that are driving many of these substantial shifts stem from multiple
sources. Regulation will continue to broaden and deepen as public sentiment becomes
less and less tolerant of any appearance of preventable errors and inappropriate business
practices. Simultaneously, customers’ expectations of banking services will rise and change as
technology and new business models emerge and evolve. Risk functions will also have to cope
with the evolution of newer types of risk (e.g., model, contagion, and cyber)—all of which require
new skills and tools. Fortunately, evolving technology and advanced analytics are enabling
new products, services, and risk-management techniques, while de-biasing approaches that
improve decision making will help risk managers make better choices about risks. However,
the risk function of the future will probably be expected to deliver against all these requirements
and deal with these trends at a lower cost, because banks will in all likelihood have to reduce
their operating costs substantially.


So what will the risk function look like in 2025? It is likely to have broader responsibilities, to
be very engaged at a strategic level, and to have much stronger, collaborative relationships
with other parts of the bank. At the same time, its talent pool will probably have experienced
a massive shift in expertise toward better analytics and greater collaboration, and away
from operating processes. Most of the latter can reasonably be expected to be automated,
real-time, and paperless by then. IT and data will likely be much more sophisticated, often
employing big data and complex algorithms. As a result, the risk function may be able to make
better risk decisions at lower operating costs while creating superior customer experiences.


If banks want their risk functions to thrive during this period of fundamental transformation, they
need to rebuild them during the next decade. To be successful, they need to start now with a
portfolio of initiatives that balance a strong short-term business case with enabling the
long-term achievement of the target vision. Such initiatives could include digitizing the underwriting
processes, use of machine-learning techniques, and interactive risk reporting. They should be
complemented by enablers such as a shift in recruiting toward more technology-savvy profiles
or the introduction of data lakes. However, to succeed, this transformation could also require
a shift in the organizational risk culture—the adoption of an approach that embeds shared and
communicated values and principles throughout the organization.


Introduction


Risk management in banks has changed substantially over the past ten years. The regulations
that emerged from the global financial crisis and the fines that were levied in its wake triggered
a wave of change in risk functions. These included more detailed and demanding capital,
leverage, liquidity, and funding requirements, as well as higher standards for risk reporting,
such as BCBS 239. The management of nonfinancial risks became more important as
the standards for compliance and conduct tightened. Stress testing emerged as a major
supervisory tool, in parallel with the rise of expectations for bank risk-appetite statements.
Banks also invested in strengthening their risk cultures and involved their boards more closely
in key risk decisions. They also sought to further define and delineate their lines of defense.
Given the magnitude of these and other shifts, most risk functions in banks are still in the midst
of transformations that respond to these increased demands.


In 2007, no one would have thought that risk functions could have changed as much as they 
have in the last eight years. It is a natural temptation to expect that the next decade has to 
contain less change. However, we believe that the opposite will likely be true. 


Although we do not possess a crystal ball that will tell us what banks’ risk functions will look 
like in 2025, or what financial crises or technological changes may disrupt risk management 
between now and then, we believe that six structural trends are likely to fundamentally reshape 
banks’ risk management over the next ten years. 


This paper first describes these six structural trends. It then outlines how risk functions
may look in 2025 and highlights what senior risk managers can and should do now to start
preparing their functions to deal with these trends. Our insights and recommendations build on
our experience serving a broad range of clients on risk management, research done on related
topics (e.g., the future of banking overall, regulation, digital banking, and advanced analytics),
and many discussions with senior executives, chief risk officers (CROs), and risk managers in
banks worldwide.


1. Six structural trends will transform bank risk management over the next ten years


While many other occurrences that will have a substantial impact on risk functions over the 
next decade are unpredictable, we believe that at least six key trends are powerful and certain 
enough to help paint a picture of the future risk function. 


Trend 1: Continued expansion of the breadth and depth of regulation 

The scope of regulation will continue to expand, propelled by four drivers. First, public and 
hence government tolerance for bank failures has shrunk since the global financial crisis, and 
the appetite for interventions using taxpayers’ money to save banks has evaporated. After 
2008, new regulations focused on the expansion of the regulatory framework by tightening 
micro- and macro-prudential regulation across the board. Open items still include the future of 
internal models for the calculation of regulatory capital and the potential use of a standardized 
approach as a floor; for instance, Basel IV is expected to reduce the complexity of banks’ 
internal models to narrow the differences between internal modeling and the standardized 
approach. Such likely changes could have substantial implications, particularly for low-risk 
portfolios such as mortgages or high-quality corporate loans. However, apart from these, the 
future prudential framework is now largely in place. 


Second, governments are policing illegal and unethical behavior much more tightly. This has
been driven by a general shift of attention toward financial crime, the vanishing tolerance for tax
avoidance, and the perceived increased threat of terrorism from individuals and countries since
the September 11, 2001, attacks in the United States. Authorities look at banks’ central role
in the payment system and their access to customer data, and are making them increasingly
responsible in their roles as lieutenants that “police” these policy objectives. For instance, banks
are asked to help prevent financial crimes (e.g., fraud, money laundering, breaching sanctions,
terrorist finances) and collect taxes effectively (e.g., Foreign Account Tax Compliance Act,
automatic information exchange). We expect this trend to continue.


Third, governments are increasingly demanding both domestic and global compliance with 
their regulatory standards. They want “good banks,” not just “good banking practice within 
their borders.” As a result, laws and regulations are increasingly applied with extraterritorial 
effect. Although this has always been the case for a significant share of US regulations 
(e.g., the US securities laws), its scope has expanded substantially in the United States and 
other jurisdictions. It now includes anti-money-laundering regulations, sanctions, and laws 
concerning bribery, fraud, and tax collection. Other examples include the extraterritorial 
application of bribery laws in the United Kingdom and several countries in Europe, and the 
extension of the UK prudential senior-persons’ regime to managers of UK banks globally. 
Employment practices, environmental standards, and financial inclusion appear to be next. 


Lastly, we expect the regulation of banks’ behavior toward their customers to tighten
significantly, as the public increasingly expects improved customer treatment and more ethical
conduct from banks. This is the culmination of a long-term trend where, over the last 150 years,
most societies have become less and less tolerant of the exploitation of minorities or less
well-protected populations by majorities or the more powerful.¹


This type of regulation has already reached businesses. While traditional economic theories 
suggested that market forces and competition would achieve optimal outcomes for 
consumers, it is now well understood that this is not the case. For instance, general terms and 
conditions of contracts were regulated once it became clear that consumers had neither the 
time nor the competence to negotiate detailed terms on their own. Other areas that have been 
increasingly regulated include marketing, branding, and sales practices. 


Although governments and regulators often follow shifts in public sentiment, sometimes they 
get ahead of it. Banks’ long-standing business practices have already been challenged and 
regulated in multiple areas. Examples include the prohibition of insider trading in the 1990s, the 
abolition of preferred treatment of certain clients in securities offerings, and the calculation of 
effective interest rates for consumer loans. Many jurisdictions also regulate investment sales 
practices (e.g., the EU Market in Financial Instruments Directive I and II), mortgages (e.g., the
Mortgage Distribution Review in the United Kingdom), and the use of inducements (e.g., the 
“kickback” payments of a share of the mutual-fund management fee to the distributor). Recent 
examples include the US Department of Labor’s proposed rule on the fiduciary responsibilities 
of investment advisers. 


We expect that this trend toward more consumer protection and “conduct” regulation will
continue and possibly even accelerate over the next decade. Information asymmetries, barriers
to switching, inappropriate or incomprehensible advice, and nontransparent or unnecessarily
complex product features or pricing structures are all likely to come under much closer scrutiny.
Bundling and cross-subsidies of products also could become problematic and could lead to
an expectation of “fair pricing” in some markets. In certain cases, banks may even be obliged
to inform their customers if they could switch to a product that better suits their needs (e.g.,
remortgage at better terms). This last example may sound far-fetched but is already a reality
for energy utilities in some markets, where consumers need to be informed regularly about
cheaper tariffs they could switch to.


It is difficult to judge how quickly these regulatory changes will happen, and different
jurisdictions are expected to move at different speeds. While the UK and some Continental
European countries seem to be leading the charge right now, others could take over. These
step changes often seem to happen because of scandals. For example, in 2007, a scandal
involving insurance-product fees in the Netherlands triggered a regulatory response, including
the introduction of tax incentives for competing bank and investment products, which leveled
the playing field with insurance products, and a complete ban of commissions. Very often,
a scandal is triggered when long-established bank behaviors clash with changed public or
government expectations not yet codified in rules.


1 For a fuller discussion, see, for example, Steven Pinker, The Better Angels of Our Nature: Why Violence Has
Declined, New York: Viking, 2011.


Once these clashes occur, the new rules apply and often have a retroactive effect, which results
in massive costs for the banking industry (e.g., the payment protection insurance scandal in
the United Kingdom, the calculation of interest on interest in Italy, the conversion of
foreign-currency-denominated loans in Central Europe, and the mortgage-servicing consent orders in
the United States). While this is contrary to the general rule that new regulations should affect
only future business behavior, the regulatory authorities or courts often apply these retroactively
because new rules are issued as specific interpretations of vague general principles such as the
“fair treatment of customers.”


Supervisory oversight practices also are evolving. In the near future, banks will probably have 
to provide supervisors with even more information and support their claims with quantitative 
data. For example, some regulators no longer accept qualitative statements about how banks 
are introducing a stronger risk culture, but demand regular staff surveys that track progress 
and benchmark the bank against its peers. Likewise, the data-submission requirements for 
Comprehensive Capital Analysis Review (CCAR) in the United States have been constantly 
growing. We expect that supervisory authorities will increasingly force banks both to measure 
how they are doing and to make this information available to them. 


It almost goes without saying that changes in regulation are unlikely to be uniform across 
countries. The speed and magnitude of the changes described here will vary significantly by 
country. Yet we believe that over the next decade, emerging-market banks will also be subject
to much more breadth and depth of regulation than today.


These regulatory trends are expected to have substantial implications for banks’ risk 
management, including the following: 


■ Optimization within a regulatory framework. Capital, liquidity, funding, and leverage ratios,
as well as recovery and resolution regimes, will likely force banks to construct balance 
sheets and businesses that comply with all constraints while aiming to fully utilize the 
capacity under the ratios. This limits banks’ strategic degrees of freedom and demands a 
new, highly analytical business-optimization and strategy-setting process. Risk functions 
could play a key role because of their superior skills in these areas. 


■ Principles-based compliance. Compliance with existing rules is unlikely to be sufficient;
rather, banks will need to comply with broad principles if they are going to protect
themselves against potential future rules and interpretations with retroactive effects. For
example, they should ask themselves whether practices are “fair” from a customer’s
perspective, or whether they would feel comfortable fully disclosing their business practices
to customers, supervisory authorities, and the public. If they would not be comfortable, this
is a clear warning sign. Banks will probably need to review their entire sales and service
approach, examining end-to-end processes along with pricing structures and levels.


■ Automated compliance. As the rules become ever more complex and the consequences
of noncompliance ever more severe, banks will likely have no choice but to eliminate human
interventions as much as possible in risk’s dealings with customers and to hardwire the right
behaviors into their products, services, and processes. Where these interventions cannot
be automated, robust surveillance and monitoring will be increasingly critical. This is the
only way to ensure a very low error rate within the first line of defense and to allow proper
oversight by the second line.


Exhibit 1: Digital-banking penetration for transactions and services is on the rise across both
developed and emerging countries, as Asia illustrates. (2007-14, % of respondents using online
banking. SOURCE: McKinsey survey on personal financial services in Asia, 2007-14)


■ Collaboration with businesses. Regulatory preparedness can be achieved only if the risk
function works even more closely with businesses than it does now. How to achieve full
compliance and protect the bank from risks needs to be an integral part of the thinking
process at the beginning, not an afterthought once businesses have set up their strategies
or designed a new product.


Trend 2: Changing customer expectations 

Over the next decade, shifts in customer expectations and technology are expected to cause 
massive alterations in banking and give it an entirely different profile. By then, widespread 
technology use is likely to be the norm for customers. The current tech-savvy younger 
generation will be the major revenue contributor to banks by 2025, because banks make most 
of their money with customers over 40. Simultaneously, older bank customers are expected 
to adopt technology at a much higher rate. Technology use by banking customers is already 
exploding in both developing and emerging markets (Exhibit 1). 


Over the last two years, the amount of innovation has increased across the sector, and 
investment in financial-technology (fin-tech) start-ups has grown rapidly. Innovation affects 
every part of the value chain, but the most important disruption will probably occur in banks’ 
origination and sales processes. Fin-tech and technology-firm attackers do not want to 
become banks; instead, they want to take over the direct customer relationship and tap into the 
most lucrative parts of the value chain: origination, sales, and distribution.²


2 For a more detailed discussion, see The Fight for the Customer, McKinsey’s 5th Global Banking Annual Review,
September 2015, on mckinsey.com. 


Exhibit 2: A majority of profits and more favorable returns come from customer-facing
activities like origination and sales.

2014 revenues before risk cost, $ billion

                                      Balance sheet        Origination
                                      and fulfillment      and sales
Total revenues                        2,075 (54%)          1,750 (46%)
Total after-tax profits               436 (41%)            621 (59%)
Return on equity                      6%                   22%
Primary source of disintermediation   Credit               Customer
                                      disintermediation    disintermediation

Product lines shown: lending, current/checking accounts, deposits, transactions/payments,
insurance and pensions.

1 Corporate finance, capital markets, securities services.
SOURCE: McKinsey analysis


An examination of banks’ basic business models makes these economics clear (Exhibit 
2). Almost 60 percent of banks’ profits come from origination, sales, distribution, and other 
customer-facing activities. They earn an attractive 22 percent return on equity (ROE) from 
these, much higher than what they gain from the provision of balance sheet and fulfillment, 
which generates only a 6 percent ROE. 


Fin-tech start-ups offer an ever-wider range of highly competitive, seamless offerings. Their 
new apps and online services are beginning to break the heavy gravitational pull banks have 
always exerted on customers. One of the most important strategies they use is that they ask 
customers only to transfer a piece of their financial business at any one time. Some platforms, 
such as NerdWallet, a US start-up, and India’s BankBazaar.com, aggregate many banks’ 
offerings in loans, credit cards, deposits, insurance, etc. Others, such as fxcompared.com, 
specialize in a single product. Yet others, such as moneysupermarket.com, started with a single 
product but have extended their services into the full gamut of financial products and even 
further (e.g., energy, telecommunications, and travel). These new services make it incredibly 
simple for customers to open an account; once they have the account, customers can switch 
among providers with a single click. 


If banks want to win the fight for their customer relationships, many things will need to happen.
Customers will likely expect intuitive experiences, access to services at any time on any device,
customized propositions, and instant decisions. To deliver on the customers’ expectations,
banks will probably need to redesign the whole organization from a customer-experience
perspective and digitize at scale. To achieve this, the risk function will need to be a core
contributor and collaborate closely with the businesses throughout. It would most likely focus
on two priorities:


■ Automated instant decisions. Banks have to offer rapid real-time answers to customer
requests (e.g., applications for loans, opening accounts) with highly customized processes.
To achieve this, risk functions will likely need to find ways to help banks assess risks and
make decisions without human intervention. This often calls for major, zero-based process
redesign and the use of more nontraditional data. Kabbage, a small-business-lending
solution in the United States and the United Kingdom, is a case in point. It provides a
rapid, convenient online loan-application experience where applicants do not have to
submit lengthy documents. Instead, Kabbage assesses various data sources (e.g., PayPal
transactions, Amazon and eBay trade information, and UPS shipment volume). Some banks
are now designing account-opening processes where most of the requested data are
prepopulated from public sources to make the onboarding experience as simple, seamless,
and short as possible. In such cases, the risk function’s challenge is to enable a secure yet
customer-friendly approach for identification and verification.


■ “Segment of one.” As banks become more sophisticated in their customer segmentation
and offerings, they may eventually be able to create the “segment of one” where they can 
tailor prices and products to each individual. However, this customization costs banks 
dearly because of the much more complex supporting processes. Also, regulators are 
likely to constrain banks in an attempt to protect consumers from inappropriate pricing 
and approval decisions. Risk functions will be expected to work with operations and other 
functions to find ways to manage these emerging concerns while still providing highly 
customized solutions. 


Trend 3: Technology and analytics as a risk muscle 

Technology will not only change customer behavior, but also enable new risk-management 
techniques, often coupled with advanced analytics. The proliferation of new technologies 
provides cheaper, faster computing power and data storage, which enable better risk decision 
support and process integration. While many unknown innovations will emerge over the next 
ten years, we are already experiencing the effects of some that have important implications for 
risk management, including the following: 


■ Big data. Today, a vast amount of customer data is available and accessible to banks.
Faster, cheaper computing power enables banks to leverage new information—for instance,
granular customer-payment and spending behavior, social-media presence, and
online-browsing activity—in risk decision making. Accessing external, unstructured data offers
substantial upside not only for better credit-risk decisions, but also for portfolio monitoring
and early warning, the detection of financial crime, and prediction of operational losses.
Banks have only started to exploit this potential, and many challenges remain. A major
question is whether banks can obtain both regulatory and customer approval for models
that use social data, and if so, what usage of data is legal and acceptable.


■ Machine learning. The rapid adoption of a new breed of models is offering much deeper
insights into data. Machine learning identifies complex, nonlinear patterns in large data
sets and makes more accurate risk models possible (Exhibit 3). These models learn with
every bit of new information they acquire, improving their predictive power over time.
Many sectors already employ machine-learning techniques; examples include weather
forecasting, Amazon product recommendations, Google’s email spam recognition, and
Netflix suggestions. Some banks have started to experiment with them in collections or
credit-card-fraud detection, with very encouraging results. Gini factors, measures of a
model’s predictive power, often improve substantially. We expect banks’ risk functions
to apply machine learning in multiple areas, such as financial-crime detection, credit
underwriting, early-warning systems, and collections in the retail and
small-and-middle-enterprise (SME) segments. However, widespread adoption of self-learning models may
face regulatory challenges, since such models cannot be validated in the traditional way.
Even if regulators do not approve such models for regulatory-capital purposes, we still
expect banks to use them for other purposes, given their significant accuracy advantages.


Exhibit 3: Machine learning surfaces insights within large, complex data sets, enabling more
accurate risk models. (SOURCE: McKinsey analysis)


■ Crowdsourcing. The Internet enables the crowdsourcing of ideas, which many incumbent
companies use to improve their effectiveness in certain areas. Allstate, an insurance
company, hosted a challenge for data scientists to crowdsource an algorithm for
car-accident insurance claims.³ Within three months, they improved the predictive power of their
model by 271 percent.


Many of these technological innovations can reduce risk costs and fines. Banks that apply 
these techniques early and boldly can gain a competitive advantage. However, data privacy 
and protection are expected to be an important prerequisite. 


Trend 4: Additional (nonfinancial) risk types are emerging 

Although management of financial risks has advanced significantly over the last 20 years, this 
is not the case for other risk types, particularly nonfinancial ones. The tremendous increase in 
fines, damages, and legal costs related to operational and compliance risk over the past five 
years has forced banks to pay much more attention to these risks. This will probably increase 
even further, due to the regulatory trends discussed earlier and given the expected rise in 
capital requirements for operational risk. 


3 Clint Boulton, “How Allstate used crowdsourcing to tune up its car insurance business,” Wall Street Journal, 
March 27, 2012, wsj.com. 


As if this were not enough, other crucial risk types have been emerging. Examples include the
following:


■ Contagion risk. Financial and macroeconomic connectedness makes economies,
corporations, and banks more vulnerable to financial contagion. Negative market
developments can spread to other parts of a bank, other markets, or involved parties and
can cause a bank’s operating environment to deteriorate quickly and significantly. This
can occur domestically and across borders, based on international capital flows and the
globalization of finance.⁴ The more closely connected the markets, the more quickly volatility
spreads.


Although central banks are the primary entities that worry about contagion risk, individual
banks need to understand how they can be exposed to it. Banks have to measure and track
it. Reducing this risk can reduce the bank’s total risk and lower its capital requirements,
because a bank’s exposure to contagion risk is one of the main underlying drivers for
its classification as a global systemically important bank (G-SIB) and for G-SIB capital
surcharges.


■ Model risk. Banks’ increasing dependence on models requires that risk managers better
understand and manage model risk. Increased data availability and advances in computing, 
modeling, and algorithms have expanded model use. However, errors from suboptimal 
models can lead to poor decision making and increase banks’ risks. Some banks have 
experienced model-risk-related losses, although most of these cases are not reported 
publicly. For instance, one large US bank had losses of $6 billion, which were partially due to 
value-at-risk model risk (i.e., lack of modeling experience by the operator, no back-testing, 
and operational problems in the model). In another example, a large Asia-Pacific bank 
lost $4 billion when it falsely applied interest-rate models—for example, through incorrect 
assumptions, data-entry errors, and breakdowns and errors in the models. 


Model errors stem from issues with data quality, conceptual solidity, technical or 
implementation errors, correlation or time inconsistencies, and uncertainties about volatility. 
There are multiple mitigation strategies, which center on more rigorous, sophisticated 
model development, better execution (with higher-quality data), thorough validation, and 
constant monitoring and improvement of the model. 


■ Cyberattacks. Most banks have already made protection against cyberattacks a top
strategic priority, as these attacks can have devastating consequences. This is partially due
to the banks’ heavy reliance on software, systems, information technology (IT), and data,
but also to the fact that these attacks would risk not only the banks’ operations but also
confidential customer data. Given the current geopolitical context and its likely evolution,
we expect cybersecurity only to increase in importance and require an even greater
deployment of resources at the individual-institution level, as well as much greater
cross-industry and industry-government collaboration.


Risk functions will most likely need new capabilities and processes to manage and track these 
emerging risks. 


4 Whether this will continue is not clear; see McKinsey Global Institute, Financial globalization: Retreat or reset?,
March 2013, on mckinsey.com.


5 Dawn Kopecki and Michael J. Moore, “JPMorgan switches risk model again after whale loss,” Bloomberg
Business, April 12, 2013, bloomberg.com.


Trend 5: Better risk decisions through the elimination of biases

Another risk is that of making wrong decisions due to unrecognized biases. Over the last 30
years, enormous strides have been made in understanding how real humans, not the Homo
economicus of traditional economic theory, make economic decisions. We have learned that
even when people attempt to approach a problem rationally and diligently, their decisions are
often suboptimal, due to various conscious and unconscious biases. People are overconfident
(e.g., 93 percent of car drivers in the United States put themselves in the top 50 percent of
all drivers; 87 percent of Stanford MBA students rated themselves as above average in an
experiment).


Businesses are no exception to this. For example, business cases are almost always inflated. 
We look for confirmation and disregard evidence that does not fit the picture. “Anchoring” 
occurs frequently in group discussions; for instance, if the first person speaking up argues in 
favor of an outcome, the likelihood is very high that most if not all the others will vote for the 
same outcome later. In the context of bank risk management, think of a credit application for a 
corporate loan that reads, “While the management team only recently joined the company, it 
is very experienced.” In this case, the credit officer appears to have made up his or her mind, 
wants the credit approved, and is putting balancing evidence in a narrative that neutralizes the 
potentially negative evidence. These are just some of the most important biases.6


Leading academics and practitioners have translated these insights into techniques for 
overcoming such biases, and various industries are beginning to apply them with promising 
results. Several of these sectors are far more advanced in this arena than banking. For example, 
some energy utilities that have to make multibillion-dollar investments that can make or break 
the company (e.g., building a nuclear-power plant) have completely redesigned their major 
investment-decision processes with the help of these techniques. These are very relevant for 
banks, which make thousands of risk decisions every day; every bias that affects each decision 
can lead to an incorrect underwriting decision or poor pricing. Not only that, but a cascade 
effect can set in, with multiple biased decisions having a cumulative effect on the bank’s overall 
risk levels. 


We expect significant advances in the development and employment of de-biasing techniques 
in the near future. Bank risk functions can already apply the following: 


■ Bias recognition. The first step is an assessment of which risk decisions in the bank
are subject to biases. Once this is understood, it is easier to identify them and reduce
their impact. This is less trivial than it sounds. While it is relatively clear that biases are
always present when people make risk decisions, as in the case of large-corporate-loan
underwriting, is this also true with models? They are certainly less problematic than
credit decisions made by people. However, they are subject to biases when they are built.
Traditional regression models start with the modeler’s hypothesis about which factors have
predictive power and should be included. Exploring machine learning offers an alternative
approach, where the algorithms themselves determine the drivers of risk.


■ Elimination techniques. Banks can use three techniques to reduce or avoid decision
biases: Analytical measures provide decision makers with more fact-based inputs; debate
techniques help remove biases from conversations and decisions; and organizational
measures embed the new way of decision making into the company (Exhibit 4).


6 For a fuller discussion, see, for example, Daniel Kahneman, Thinking, Fast and Slow, New York: Farrar, Straus &
Giroux, 2011.

Exhibit 4

Three techniques can de-bias decision making.


EXAMPLE: Qualitative credit assessment (QCA)

QCA was developed for small-and-middle-enterprise credit decisions in emerging markets where
satisfactory financial data are not available and banks must rely on expert judgment
■ Converts judgment into consistent, objective, practically quantitative data
■ Mitigates human biases with several methodologies:
  — Very objective and precise questions and answers
  — De-biased survey design (e.g., 4 answer categories)
  — Additional, redundant questions to obscure logic

■ Increased use of analytical models
■ Real-option valuation


EXAMPLE: Discussion rules

This set of rules eliminates opinionated discussion and provides room for fact-finding
■ Presenter presents a case (e.g., credit proposal, promotion)
■ Group of judges may formulate questions; no statements allowed
■ Presenter answers questions; no discussion allowed
■ One group member frames potential decisions and need-to-believes
■ Group votes anonymously

Further examples
■ Reanchoring
■ Criteria for yes
■ Devil's advocate


EXAMPLE: De-biasing training
■ All relevant employees undergo de-biasing training
■ Core topics included:
  — Types of decision biases
  — Practical techniques to recognize and address such biases

Further examples
■ Central de-biasing team
■ Rolling budget


SOURCE: McKinsey analysis


One example of the analytical method is qualitative credit assessment (QCA). Several
banks around the globe implemented QCA for the underwriting of SME loans in emerging
markets, where financial data are often unavailable, insufficient, or unreliable. Banks
typically rely on expert judgment in these cases. While this is unavoidable, much can
be done to improve the quality of this decision making. QCA identifies a long list of
potential predictive factors in workshops with the best credit officers, then filters them
by back-testing them against the loss history. These are then translated into structured
questionnaires, which reduce biases (e.g., with a qualitative description of what constitutes
good or bad, or use of four grades for each factor to avoid a middle option, because
people tend to choose that).


A particular debate technique implements strict discussion rules for credit committees, 
rules that eliminate opinionated discussion and promote fact-finding. After everybody has 
read the papers and the presenter summarizes the case, participants are only allowed to 
ask the presenter factual questions; the case is then put to an anonymous vote (to avoid the 
anchoring bias). If the vote is unclear, the case is discussed and potentially re-raised. 


The future of bank risk management 


The risk function could be the front-runner for de-biasing within banks. It could even become 
a center of competence that rolls out de-biasing processes and tools to other parts of the 
organization. 


Exhibit 5

Global banking profits have returned to the long-term average of 8%-12% return on equity (ROE).


[Chart: Global banking ROE,¹ 1980-2014]


ROE by region, 2014

Developed                    Emerging
North America       8.5      China              18.4
Western Europe      3.2      Emerging Asia³     13.6
Other developed²    9.5      Latin America      17.9
                             Other emerging⁴    11.6


1 Based on a sample of listed banks with >$10 billion in assets.

2 Australia, Hong Kong, Israel, Japan, Singapore, South Korea, Taiwan.

3 India, Indonesia, Malaysia, Pakistan, Philippines, Thailand, Vietnam.

4 Bahrain, Egypt, Hungary, Jordan, Kuwait, Lebanon, Morocco, Nigeria, Oman, Poland, Qatar, Republic of South Africa, Romania, Russia, Saudi Arabia,
Togo, Turkey, United Arab Emirates.


SOURCE: Bloomberg; Compustat; Datastream; OECD; Thomson Reuters; McKinsey analysis


Trend 6: Need for strong cost savings 

The banking system has suffered from slow but constant margin decline in most geographies 
and product categories. Banks have worked very hard and used operational cost 
improvements to compensate for these declines, resulting in constant return on equity at the 
lower end of the long-term average, which is in the upper single digits (Exhibit 5). 


While there will probably be substantial regional differences, the downward pressure on 
margins is expected to continue across all geographies. We even expect this pressure to 
accelerate due to further tightening of regulations (e.g., capital requirements, increasing 
compliance costs) and the emergence of low-cost digital attackers. Some products are 
expected to be particularly affected. For example, by 2025, up to 40 percent of revenues could 
be at risk in certain product categories if banks do not act (Exhibit 6).7 


As a result of these disruptions, banks will possibly need to rethink their operating costs so they
can deliver more value at lower cost. Once banks have exploited traditional and incremental 
cost-cutting approaches such as zero-based budgeting, value-added analysis (i.e., demand 
management), and outsourcing, we believe that simplification, standardization, and digitization 
will likely be the only sizable avenues left for substantial cost savings. 


7 For a more detailed discussion, see The Fight for the Customer, McKinsey’s 5th Global Banking Annual Review,
September 2015, on mckinsey.com. 

Five retail businesses have substantial value at risk.


Expected ‘value at risk’ of banking revenues and profits by 2025

[Exhibit table not recoverable. Columns: retail-banking products (example); revenues,¹ % change;
profits,¹ % change; sample analysis: consumer finance, revenues, 2025, $ billion]


1 Compared with 2025 projections without the impact of fin-tech and digital attackers. Profit numbers include impact of savings
on operating costs as a result of digital. Revenues are after risk cost, profits are after taxes. Figures are rounded.

2 Excluding deposits.

3 Including currently unbanked segments. Fin-techs are financial-technology companies.


SOURCE: McKinsey analysis


Over the long term, risk functions cannot be exempted from contributing to these cost savings.
At the same time, they will need to invest substantially to address many of the structural trends 
described earlier. There is no easy solution to this challenge under the current industry and 
regulatory constructs, and we believe banks will need to reexamine these decisions over the 
next decade. 

2. By 2025 bank risk functions will probably be even more critical in making banks
successful than they are today


Because of the six fundamental trends, banks are likely to face a multifaceted challenge:
become more effective in identifying and mitigating risks, more efficient and faster in supporting
businesses and fulfilling customer needs, better suited to support decision making across
the organization, and better prepared to meet regulatory expectations. We believe that our
suggested vision for the risk function in 2025 would address these challenges—but this future
risk function is a significant departure from today’s in multiple areas.


In 2025, risk functions in banks have the potential to be the primary architects of seamless, 
de-biased risk decisions and monitoring throughout the organization. They could deliver higher 
value by lowering risk and operating costs, contributing more to intuitive customer experiences, 
and helping steer the bank as it complies with regulations. This vision entails the risk function 
driving the following actions: 


■ Minimizing manual interventions while making modeling, simplification, standardization, and
automation much more the rule when dealing with regulations, delivering superior customer
experiences, capturing the benefits of big data, and de-biasing decisions. This is expected
to substantially reduce nonfinancial risk and lower the risk function’s operating expenses.


■ Collaborating more closely with businesses—for example, on revised customer journeys
or the joint reduction of operational risk—and with other functions, such as with strategic
planners on balance-sheet optimization. This helps the bank respond to new regulations,
develop compelling customer experiences, de-bias decisions, address emerging risk types,
and lower costs.


■ Becoming a strong advocate of corporate values and principles through a more robust risk
culture that is defined, communicated, and reinforced throughout the bank. When in place,
risk detection, assessment, and mitigation are part of the daily job of all employees across
the entire organization. Various initiatives help embed the mind-sets and behaviors that
make up this risk culture.


■ Developing and hiring people with different skills who can build and manage the new
models and data sets, and collaborate with the businesses and other functions.


The risk function will probably become even more strongly embedded in all areas of the 
organization. To carry out these changes, it will likely need to transform its operating model, 
processes, IT/data infrastructure, and talent pool. 


The operating model 

The operating model is expected to change significantly as analytical services and advisory 
and counseling relationships become more important parts of risk management (Exhibit 7). For 
instance, the risk function will need to be able to work with strategy to manage all regulatory 
constraints proactively. It also will need to build the analytical capabilities to manage all current 
and new models and analytical approaches, such as machine learning. 




Exhibit 7

The future risk-management operating model will shift resources from operational
processes to analytics.


Changed profiles of risk-management staff

% of central risk full-time equivalents (FTEs)

[Chart: share of central risk FTEs by category (analytics, new areas, central functions,
reporting, operational processes), today¹ versus 2025]
■ Massive shift toward analytics and new areas (modern-day quants and business translators)
■ Biggest FTE reduction will be in operational processes and reporting


1 McKinsey Risk FTE benchmarking 2014/2015.
SOURCE: McKinsey analysis


During this transition, some areas will probably stay the same size but shift their focus. For 
example, the risk function’s management will likely benefit from the leaner overall model, 
engage more with businesses and other functions to improve customer journeys and product 
propositions, reduce nonfinancial risks at their source, and assist in the bank’s overall strategy. 


The risk function is also expected to take on new responsibilities for stakeholder management,
de-biasing, regulatory management, and emerging risks. Its individual and industry activities
will likely intensify as it concentrates on internal and external stakeholder management, and
it will probably establish a de-biasing department to help ensure that relevant employees are
trained in de-biasing techniques. In addition, a risk-process task force could instill the notion
of continuous improvement and zero-based process redesigns within the risk organization.
New teams could focus on the emerging risk types that banks are expected to encounter (e.g.,
model, contagion, and cyberattacks). As a result, some parts of the risk function will probably
have a great many more resources than today—for instance, those that cover new risk types.


Processes 

Some areas, including manual operational processes and risk reporting, will likely need fewer 
resources because of simplification, standardization, and automation. While risk decision 
making is expected to be firmly embedded in end-to-end customer journeys, the underlying 
processes are highly likely to be paperless, with automatic, real-time processing. The division of 
tasks between machines and people will most probably be very different from today. Humans 
would only review select cases that do not fall firmly within the bank’s policies, approve 
decision proposals, and perform case handling for very complex cases. This is expected to be 
true for both retail and SME banking. Automation also offers significant potential for wholesale 
banking when rolling over loan facilities or when making credit decisions for existing clients 
about trade-finance or receivable-finance products. 

Nonfinancial risks present another major opportunity for embedding the controls directly in
the core processes. In operational risk, we expect human activity to focus on eliminating the
risk at source, designing key risk indicators (KRIs), implementing control points, and creating
procedures for incident management. Most other activities, including monitoring, are expected
to be automated over time. As a result, the number of compliance staff will probably decline; for
example, the detection of financial-crime cases would rely on models like machine learning.


IT/data infrastructure 

The supporting IT infrastructure and data could take a variety of forms, although the most 
recent trends lean toward a “two-speed architecture” and data lakes. A two-speed architecture 
decouples the bank’s IT architecture into a slower, reliable back-end (e.g., the bank’s core IT 
systems, often the legacy systems) and a flexible, agile front-end that is customer-facing. A data 
lake gathers and stores all types of data, structured and unstructured, internal and external. 
Data entering the bank need not follow strict rules (as would be required of data entering an 
enterprise data warehouse). Instead, the users of the data define the rules when they extract 
the data from the lake. By combining this flexibility with Google-like search technology, the
data lake provides banks with a step-change that helps them leverage their data for multiple
purposes, ranging from marketing to risk to finance. The scope and flexibility of the system help 
banks use big data tools for complex data investigation and analysis. 


Getting to the target state, especially in terms of systems and infrastructure, is expected
to require significant expenditures. While remaining in the forefront is likely to make such
investments vital, the cost pressures described here would probably make this task a nontrivial
consideration. In all likelihood, some banks will lag behind because they are unable or unwilling
to make these investments.


Talent pool 

Talent and resources in the risk function will likely need to shift toward analytics, collaboration, 
and the function’s other new areas of responsibility; at the same time, substantially fewer 
people are expected to be involved in manual risk decision making. The new staff will most 
probably be highly talented data scientists who have advanced mathematical and statistical 
knowledge and are experts in machine learning and other sophisticated data-analysis 
methods, as well as business translators who can work well with other parts of the bank to 
convert data insights into business actions. As these risk managers become trusted counselors 
to business areas, they can be expected to form a strong contrast to today’s operators and 
specialists, who focus more on case processing. 


As banks search for the best candidates for these positions, they will likely find themselves
competing directly against technology firms for them. Building cooperative
relationships with universities and financial-technology companies will probably help banks 
gain access to this talent. To win these candidates, the risk function will need to reshape its 
employee value proposition and tailor it to these new recruits. The function would also need to 
change its culture to one that promotes entrepreneurship and creativity. These new recruits will 
likely need a sophisticated technology environment with high-end digital tools, and training and 
development so they can keep abreast of emerging trends. 

3. Banks need to start transforming their risk functions now through initiatives with
an immediate impact


Achieving the target state will most likely require a major transformation of the risk function. 
However, it is impossible to define a detailed blueprint for how a risk function will look in 2025. 
Nor can one predict all the technological advances, the macroeconomic shocks, the next 
banking scandals, or the innovations in risk-management practices that will happen over the 
next decade and that will influence the shape of the future risk function. 


However, the six trends alone are sufficient to form the basis of a clearly articulated vision, 
which can help to mobilize today’s risk function and identify initiatives that are critical to move 
the risk function in the right direction. Successful functions will also fulfill the many more current 
demands, such as investments in stress-testing capabilities, the full implementation of the three 
lines of defense framework, and investments in data quality and reporting (BCBS 239). 


CROs who want to prepare their risk function for the future need to develop transformation 
agendas that combine the initiatives that are necessary due to current demands with those that 
make substantial contributions to preparing the function for the future and moving it toward the 
vision. We firmly believe that the initiatives that position the risk function for the future need to 
have a strong short-term business case as well. 


The following five potential initiatives can all help risk functions prepare for the future. 


Initiative 1: Digitization of core processes 

Many banks are already digitizing many of the core processes that affect the risk function (e.g., 
client onboarding, Know Your Customer, and credit processes). In our experience, banks can 
usually do more in this area than many risk managers currently suspect. In just one example,
a bank’s credit-process digitization reduced end-to-end processing time for the opening of a
digital current account by more than 90 percent, and lowered overall costs by more than 60 
percent. It also reduced financial-crime risk substantially. The bank’s compliance department 
originally thought new customers had to come to the branch to have their identity verified 
through an in-person meeting. It believed that this was a local regulatory requirement. However, 
the bank was able to redesign and automate the process. The customer took a picture of his 
or her passport or identity card plus a utility bill and submitted this with the online application. 
The information was sent automatically to a third party, which used sophisticated software 
and access to various databases to automatically verify the identity and the validity of the 
identification documents. 


The local regulator approved this solution because the bank could demonstrate that the 
reliability of the automated system was much higher, as it did not entail human errors, and that 
the sophisticated software, with access to the right databases, was much better positioned
to spot false documents. It also better protected the bank against fines should the system
make mistakes, because the bank would only need to demonstrate that it designed the right 
process and exercised the right level of third-party-vendor oversight, but did not itself make any 
mistakes in onboarding the client. 

Many risk functions support their businesses when those businesses ask risk to help
them redesign their core processes. However, fewer risk functions proactively reach out
to businesses with suggestions about digitizing embedded risk decisions. We believe risk
functions could unlock significant savings if they were more proactive with their colleagues. In
addition, process digitization often creates a win-win situation: increased efficiency and lower
costs are often coupled with superior customer experience and result in improved sales.


Initiative 2: Experiment with advanced analytics and machine learning 

Risk functions should start to experiment with analytics (e.g., machine learning) in some areas, 
such as credit decisions. These algorithms have already significantly improved credit decisions 
on multiple occasions for some banks. For example, one bank that used machine learning in 
its early-warning systems increased Gini scores on high-risk clients from the low to mid-70s
to about 90 percent. On collections, it brought Gini up to the low-90-percent range from the
mid-60s and 70s. All of these represent significant improvements. In a recent European credit- 
card example, machine-learning techniques improved the “Late on same day” Gini score by 18 
percentage points (from 71 percent to 89 percent) and the “Default on day 90” Gini score by 18 
percentage points (from 75 percent to 93 percent). We believe that applying machine-learning 
algorithms can help banks improve the identification of risky customers. 


Initiative 3: Enhanced risk reporting 

Developing next-generation risk reporting can start to enhance risk management now. BCBS 
239 requirements have already prompted enormous efforts at all G-SIBs and domestic 
systemically important banks (D-SIBs). These initiatives usually improve overall data quality, 
aggregation capabilities, and risk-reporting timeliness. They typically focus less on format, 
how the reports are delivered, or how they could be better used in risk decision making. 
However, we have seen some innovative thinking by a few banks in these latter areas. They 
have employed management information systems that replaced paper-based reports with an 
interactive tablet solution that offers a great deal of information in real time and allows users 
to do root-cause analyses. These solutions were firmly embedded in the banks’ performance 
management processes. We could envision something very similar for risk reporting. Such 
improved reports would enable banks to make decisions faster, based on more transparent 
and consistent data, and improve the quality of fact-based decisions. In addition, real-time 
risk reporting would help banks identify potential risks even sooner, allowing a more timely 
response. 


Initiative 4: Balance-sheet optimization 

The risk-management function could also work with finance and strategy to optimize the bank’s 
balance sheet under all regulatory constraints. Some banks already employ this technique. 
They use a structured process that aligns the balance-sheet data (if needed, it utilizes the most 
important balance sheets for international groups) and then agrees on economic scenarios, 
strategic assumptions (e.g., how much the bank would be prepared to increase or shrink a
loan portfolio), and regulatory assumptions. Finally, the process has an optimization engine
make suggestions for an optimized balance sheet. Typically, this yields suggestions for ROE 
improvements of 50-400 basis points, where the adjustments in the range of 50-150 basis 
points are typically moderate. Exhibit 8 provides an example of such an optimization. 


In our experience, an optimization engine almost always produces counterintuitive insights,
because the various regulatory ratios (e.g., capital ratios, net stable funding ratio, liquidity
coverage ratio, total loss-absorbing capacity, recovery and resolution requirements,
Dodd-Frank, and ringfencing) are so complex and interrelated that it is almost impossible to find the
optimal outcome without the support of an optimization engine.


[Exhibit 8: Balance-sheet ... increase key ratios.]


The other advantage of building such an engine is that once it has been built, the numbers 
can be rerun when regulatory ratios or strategic assumptions change. Different regulatory 
scenarios, such as Basel IV, can be tested. Balance-sheet optimization can also be linked to 
the stress-testing activities that banks have started to build up as a response to regulatory 
requirements; the performance of banks under stress is expected to increasingly become 
the binding regulatory constraint, and this will need to be reflected in optimization efforts. As 
a result, balance-sheet optimization can become the nucleus of a sophisticated
regulatory-management function that could be shared by risk management, finance, and strategy.


Initiative 5: Putting the enablers in place 

Several enablers also need to be in place to make the vision a reality. These could include the 
buildup of supporting IT/data infrastructure, the necessary talent pool, and risk culture. Banks 
could put some of these enablers in place through several measures: 


■ Shift the risk function’s recruiting focus. One of the function’s most significant challenges will
likely be achieving the shift in its talent mix over time. For risk functions to make a smooth
transition, they need to start now and combine initiatives, so they can attract more
tech-savvy and entrepreneurial talent while decreasing the number of traditional staff in more
operational areas through digitization and other means.


■ Create data infrastructure. As described previously, a flexible data infrastructure (e.g.,
data lakes) is expected to help banks create a repository for all types of structured and
unstructured data. Banks can then use the data for different use cases such as credit
underwriting, monitoring and early warning, or fraud detection. Since risk functions in the
future are expected to become increasingly data driven, a supporting data infrastructure
is likely to be a critical enabler. Such an infrastructure cannot be built in isolation, however.
It has to be part of an enterprise-wide effort that addresses at once the data needs of both
businesses and control functions.


■ Enhance risk culture. Building and maintaining a robust risk culture will be critical to
ensuring the success of the risk function of the future. A robust risk culture is also likely to
be a requisite element in banks’ future competitive advantage. Although risk culture has
gained traction in the last few years, many banks are only beginning to institutionalize it. The
target vision of the risk function is expected to have an explicit aspiration with values and
norms that the organization can use to manage risk. These values will most likely promote
informed, conscious risk taking based on its risk appetite, coupled with the necessary
checks and control systems to continuously detect, assess, and mitigate risks, as well as
transparent procedures to follow up on breaches and deviations.


A strong, organization-wide risk culture is expected to be essential for three reasons. First, 
although the trends and changes we have articulated provide a clear path for getting things 
done, individuals are the ones who make it possible. For example, they need to define business 
practices, adhere to ethical principles, and ensure governance as part of their day-to-day 
work. Second, while the new risk function will most likely possess sophisticated analytical and 
technical capabilities, a strong, widespread risk culture is necessary to ensure that these are 
appropriately and ethically applied. In addition, they need to be effectively challenged, and 
appropriate checks and balances should exist for the technical capabilities. These latter will 
most probably require substantial human intervention and are most effective when a broad set 
of stakeholders from across the bank perform them routinely. Lastly, an organization-wide risk 
culture is expected to enable banks to manage the more decentralized activities and models 
that newer technologies make possible. This is particularly true at larger institutions. 


Banks’ risk-culture aspiration and values should identify specific attributes that are desired, as 
well as those that are not. Such a statement is often developed by engaging many stakeholders 
at the bank. After identifying the aspiration, the bank assesses the current risk culture and 
identifies its strengths and improvement opportunities. Strengthening the risk culture also 
requires changing individuals’ mind-sets and behaviors. First, the bank is expected to foster
understanding and conviction about what changes are needed and why they are important
to individuals and the bank. Second, various initiatives would develop the talent and skills that
are needed to fulfill the various changes. Third, formal mechanisms would reinforce the new 
processes and procedures. These could include evaluation and compensation mechanisms, 
governance, and the accountability of the front line. Finally, role-modeling of desired behaviors 
by senior management would supplement all of these. This is one of the most important and 
impactful levers for change. 


Making and maintaining changes to risk culture is no mean feat. It requires a multiyear program 
that emphasizes different elements of the desired culture if the organization as a whole is going 
to make meaningful progress. In a certain way, it can be misleading to talk about a program, 
because embedding the culture requires that it be woven into the fabric of the organization and 
its core processes. We believe that it is highly likely to be a key pillar of future risk management 
and well worth the investment and effort. 

In sum


Bank risk management will likely look dramatically different by 2025, when it has become a 
core part of banks’ strategic planning, a close collaborator with business heads, and a center 
of excellence in analytics and de-biased decision making. Its ability to manage multiple risk 
types while preparing for new regulations and complying with current ones is expected to 
make it even more invaluable to financial institutions, and its role in creating fulfilling customer 
experiences will most probably transform it into a key contributor to banks’ bottom lines. The 
risk function is also expected to become increasingly a differentiating factor among banks, 
helping to determine which ones succeed. However, the only risk functions that are likely to 
achieve this state are those that undertake a wholesale, ambitious transformation—and that 
start to do so now. For those that do, a wealth of potential value awaits. 